--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -6553,12 +6553,14 @@ static int __hci_acl_create_connection_s
 	if (err == -ETIMEDOUT)
 		hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM);
 
+	hci_conn_put(conn);
 	return err;
 }
 
 int hci_acl_create_connection_sync(struct hci_dev *hdev,
 				   struct hci_conn *conn)
 {
+	hci_conn_get(conn);
 	return hci_cmd_sync_queue(hdev, __hci_acl_create_connection_sync,
 				  conn, NULL);
 }